Case APIs

This functionality is in technical preview and may be changed or removed in a future release. Elastic will apply best effort to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

Access

  1. API key (parameter name: ApiKey; sent in a request header, not in the query string)
  2. HTTP Basic Authentication

Methods

Cases

post /s/{spaceId}/api/cases/{caseId}/comments
Adds a comment or alert to a case. (addCaseComment)
You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're creating. NOTE: Each case can have a maximum of 1,000 alerts.

Path parameters

caseId (required)
Path Parameter — The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded. default: null
spaceId (required)
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null

Consumes

This API call consumes the following media types via the Content-Type request header:
  • application/json

Request body

add_case_comment_request (required)
Body Parameter

Request headers

kbn-xsrf (required)
Header Parameter — Cross-site request forgery protection default: null

Return type

Example data

Content-Type: application/json
{
  "owner" : "cases",
  "totalComment" : 0,
  "settings" : {
    "syncAlerts" : true
  },
  "totalAlerts" : 0,
  "closed_at" : "2000-01-23T04:56:07.000+00:00",
  "comments" : [ null, null ],
  "assignees" : [ {
    "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
  }, {
    "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
  } ],
  "created_at" : "2022-05-13T09:16:17.416Z",
  "description" : "A case description.",
  "title" : "Case title 1",
  "created_by" : {
    "full_name" : "full_name",
    "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
    "email" : "email",
    "username" : "elastic"
  },
  "version" : "WzUzMiwxXQ==",
  "closed_by" : {
    "full_name" : "full_name",
    "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
    "email" : "email",
    "username" : "elastic"
  },
  "tags" : [ "tag-1" ],
  "duration" : 120,
  "updated_at" : "2000-01-23T04:56:07.000+00:00",
  "updated_by" : {
    "full_name" : "full_name",
    "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
    "email" : "email",
    "username" : "elastic"
  },
  "id" : "66b9aa00-94fa-11ea-9f74-e7e108796192",
  "external_service" : {
    "external_title" : "external_title",
    "pushed_by" : {
      "full_name" : "full_name",
      "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
      "email" : "email",
      "username" : "elastic"
    },
    "external_url" : "external_url",
    "pushed_at" : "2000-01-23T04:56:07.000+00:00",
    "connector_id" : "connector_id",
    "external_id" : "external_id",
    "connector_name" : "connector_name"
  }
}

Produces

This API call produces the following media types according to the Accept request header; the media type will be conveyed by the Content-Type response header.
  • application/json

Responses

200

Indicates a successful call. case_response_properties

401

Authorization information is missing or invalid. 4xx_response

post /s/{spaceId}/api/cases
Creates a case. (createCase)
You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're creating.

Path parameters

spaceId (required)
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null

Consumes

This API call consumes the following media types via the Content-Type request header:
  • application/json

Request body

create_case_request (required)
Body Parameter

Request headers

kbn-xsrf (required)
Header Parameter — Cross-site request forgery protection default: null

Return type

Example data

Content-Type: application/json
{
  "owner" : "cases",
  "totalComment" : 0,
  "settings" : {
    "syncAlerts" : true
  },
  "totalAlerts" : 0,
  "closed_at" : "2000-01-23T04:56:07.000+00:00",
  "comments" : [ null, null ],
  "assignees" : [ {
    "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
  }, {
    "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
  } ],
  "created_at" : "2022-05-13T09:16:17.416Z",
  "description" : "A case description.",
  "title" : "Case title 1",
  "created_by" : {
    "full_name" : "full_name",
    "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
    "email" : "email",
    "username" : "elastic"
  },
  "version" : "WzUzMiwxXQ==",
  "closed_by" : {
    "full_name" : "full_name",
    "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
    "email" : "email",
    "username" : "elastic"
  },
  "tags" : [ "tag-1" ],
  "duration" : 120,
  "updated_at" : "2000-01-23T04:56:07.000+00:00",
  "updated_by" : {
    "full_name" : "full_name",
    "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
    "email" : "email",
    "username" : "elastic"
  },
  "id" : "66b9aa00-94fa-11ea-9f74-e7e108796192",
  "external_service" : {
    "external_title" : "external_title",
    "pushed_by" : {
      "full_name" : "full_name",
      "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
      "email" : "email",
      "username" : "elastic"
    },
    "external_url" : "external_url",
    "pushed_at" : "2000-01-23T04:56:07.000+00:00",
    "connector_id" : "connector_id",
    "external_id" : "external_id",
    "connector_name" : "connector_name"
  }
}

Produces

This API call produces the following media types according to the Accept request header; the media type will be conveyed by the Content-Type response header.
  • application/json

Responses

200

Indicates a successful call. case_response_properties

401

Authorization information is missing or invalid. 4xx_response

delete /s/{spaceId}/api/cases
Deletes one or more cases. (deleteCase)
You must have read or all privileges and the delete sub-feature privilege for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're deleting.

Path parameters

spaceId (required)
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null

Request headers

kbn-xsrf (required)
Header Parameter — Cross-site request forgery protection default: null

Query parameters

ids (required)
Query Parameter — The cases that you want to remove. All non-ASCII characters must be URL encoded. default: null

Produces

This API call produces the following media types according to the Accept request header; the media type will be conveyed by the Content-Type response header.
  • application/json

Responses

204

Indicates a successful call.

401

Authorization information is missing or invalid. 4xx_response

delete /s/{spaceId}/api/cases/{caseId}/comments/{commentId}
Deletes a comment or alert from a case. (deleteCaseComment)
You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're deleting.

Path parameters

caseId (required)
Path Parameter — The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded. default: null
commentId (required)
Path Parameter — The identifier for the comment. To retrieve comment IDs, use the get case or find cases APIs. default: null
spaceId (required)
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null

Request headers

kbn-xsrf (required)
Header Parameter — Cross-site request forgery protection default: null

Produces

This API call produces the following media types according to the Accept request header; the media type will be conveyed by the Content-Type response header.
  • application/json

Responses

204

Indicates a successful call.

401

Authorization information is missing or invalid. 4xx_response

delete /s/{spaceId}/api/cases/{caseId}/comments
Deletes all comments and alerts from a case. (deleteCaseComments)
You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're deleting.

Path parameters

caseId (required)
Path Parameter — The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded. default: null
spaceId (required)
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null

Request headers

kbn-xsrf (required)
Header Parameter — Cross-site request forgery protection default: null

Produces

This API call produces the following media types according to the Accept request header; the media type will be conveyed by the Content-Type response header.
  • application/json

Responses

204

Indicates a successful call.

401

Authorization information is missing or invalid. 4xx_response

get /s/{spaceId}/api/cases/{caseId}/user_actions/_find
Finds user activity for a case. (findCaseActivity)
You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're seeking.

Path parameters

caseId (required)
Path Parameter — The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded. default: null
spaceId (required)
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null

Query parameters

page (optional)
Query Parameter — The page number to return. default: 1
perPage (optional)
Query Parameter — The number of user actions to return per page. default: 20
sortOrder (optional)
Query Parameter — Determines the sort order. default: asc
types (optional)
Query Parameter — Determines the types of user actions to return. default: null

Return type

Example data

Content-Type: application/json
{
  "userActions" : [ {
    "owner" : "cases",
    "action" : "create",
    "created_at" : "2022-05-13T09:16:17.416Z",
    "id" : "22fd3e30-03b1-11ed-920c-974bfa104448",
    "comment_id" : "578608d0-03b1-11ed-920c-974bfa104448",
    "type" : "create_case",
    "created_by" : {
      "full_name" : "full_name",
      "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
      "email" : "email",
      "username" : "elastic"
    },
    "version" : "WzM1ODg4LDFd"
  }, {
    "owner" : "cases",
    "action" : "create",
    "created_at" : "2022-05-13T09:16:17.416Z",
    "id" : "22fd3e30-03b1-11ed-920c-974bfa104448",
    "comment_id" : "578608d0-03b1-11ed-920c-974bfa104448",
    "type" : "create_case",
    "created_by" : {
      "full_name" : "full_name",
      "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
      "email" : "email",
      "username" : "elastic"
    },
    "version" : "WzM1ODg4LDFd"
  } ],
  "total" : 1,
  "perPage" : 6,
  "page" : 0
}

Produces

This API call produces the following media types according to the Accept request header; the media type will be conveyed by the Content-Type response header.
  • application/json

Responses

200

Indicates a successful call. findCaseActivity_200_response

401

Authorization information is missing or invalid. 4xx_response
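
Added example (not part of the Elastic reference): a Python sketch of the request conventions described above (optional /s/{spaceId} prefix, URL-encoded path parameters, the kbn-xsrf header on POST and DELETE) and of paging through user_actions/_find to tally case activity per user. The host kibana.example, the "Authorization: ApiKey ..." header form, the fetch callable and the sample user actions are assumptions constructed for the example; no network call is made.

```python
from collections import Counter
from urllib.parse import parse_qs, quote, urlencode, urlsplit


def case_api_url(base_url, path, space_id=None, **path_params):
    """Build a Cases API URL from a template such as
    "/api/cases/{caseId}/user_actions/_find"."""
    # safe="" percent-encodes "/" as well as non-ASCII characters, so an
    # identifier can never add or remove path segments.
    encoded = {k: quote(str(v), safe="") for k, v in path_params.items()}
    # Leaving out /s/{spaceId} selects the default space.
    prefix = "" if space_id is None else "/s/" + quote(str(space_id), safe="")
    return base_url.rstrip("/") + prefix + path.format(**encoded)


def request_headers(encoded_api_key, method):
    """Headers for one call. The Authorization form is an assumption; the
    page only states that the API key travels in a header."""
    headers = {
        "Authorization": "ApiKey " + encoded_api_key,
        "Accept": "application/json",
    }
    if method.upper() in ("POST", "DELETE"):
        # Required on the POST and DELETE operations listed on this page;
        # the value is a placeholder.
        headers["kbn-xsrf"] = "true"
    if method.upper() == "POST":
        headers["Content-Type"] = "application/json"
    return headers


def iter_user_actions(fetch, url, per_page=20):
    """Yield every user action from user_actions/_find, page by page.
    `fetch` is a hypothetical callable: full URL in, decoded JSON body out."""
    page, seen = 1, 0  # the page parameter defaults to 1
    while True:
        query = urlencode({"page": page, "perPage": per_page, "sortOrder": "asc"})
        body = fetch(url + "?" + query)
        actions = body.get("userActions", [])
        if not actions:
            return  # an empty page ends the walk even if "total" is off
        yield from actions
        seen += len(actions)
        if seen >= body.get("total", 0):
            return
        page += 1


def summarize_actions(actions):
    """Count actions per (username, action) pair for review."""
    return Counter((a["created_by"]["username"], a["action"]) for a in actions)


# Constructed sample data, shaped like the example response above.
CONSTRUCTED_ACTIONS = [
    {"action": "create", "type": "create_case", "created_by": {"username": "elastic"}},
    {"action": "create", "type": "comment", "created_by": {"username": "analyst1"}},
    {"action": "delete", "type": "comment", "created_by": {"username": "analyst1"}},
    {"action": "update", "type": "status", "created_by": {"username": "elastic"}},
    {"action": "delete", "type": "comment", "created_by": {"username": "analyst1"}},
]


def constructed_fetch(full_url):
    """Offline stand-in for an HTTP GET: serves slices of the sample data."""
    query = parse_qs(urlsplit(full_url).query)
    page, per_page = int(query["page"][0]), int(query["perPage"][0])
    start = (page - 1) * per_page
    return {
        "userActions": CONSTRUCTED_ACTIONS[start:start + per_page],
        "total": len(CONSTRUCTED_ACTIONS),
        "perPage": per_page,
        "page": page,
    }


def demo():
    url = case_api_url(
        "https://kibana.example:5601",
        "/api/cases/{caseId}/user_actions/_find",
        space_id="sec-ops",
        caseId="66b9aa00-94fa-11ea-9f74-e7e108796192",
    )
    actions = list(iter_user_actions(constructed_fetch, url, per_page=2))
    return url, actions, summarize_actions(actions)


if __name__ == "__main__":
    url, actions, summary = demo()
    print(url)
    for (user, action), count in sorted(summary.items()):
        print(user, action, count)
```
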

get /s/{spaceId}/api/cases/{caseId}/comments
Retrieves all the comments from a case. (getAllCaseComments)
You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases with the comments you're seeking.

Path parameters

caseId (required)
Path Parameter — The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded. default: null
spaceId (required)
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null

Return type

Example data

Content-Type: application/json
{
  "owner" : "cases",
  "totalComment" : 0,
  "settings" : {
    "syncAlerts" : true
  },
  "totalAlerts" : 0,
  "closed_at" : "2000-01-23T04:56:07.000+00:00",
  "comments" : [ null, null ],
  "assignees" : [ {
    "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
  }, {
    "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
  } ],
  "created_at" : "2022-05-13T09:16:17.416Z",
  "description" : "A case description.",
  "title" : "Case title 1",
  "created_by" : {
    "full_name" : "full_name",
    "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
    "email" : "email",
    "username" : "elastic"
  },
  "version" : "WzUzMiwxXQ==",
  "closed_by" : {
    "full_name" : "full_name",
    "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
    "email" : "email",
    "username" : "elastic"
  },
  "tags" : [ "tag-1" ],
  "duration" : 120,
  "updated_at" : "2000-01-23T04:56:07.000+00:00",
  "updated_by" : {
    "full_name" : "full_name",
    "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
    "email" : "email",
    "username" : "elastic"
  },
  "id" : "66b9aa00-94fa-11ea-9f74-e7e108796192",
  "external_service" : {
    "external_title" : "external_title",
    "pushed_by" : {
      "full_name" : "full_name",
      "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
      "email" : "email",
      "username" : "elastic"
    },
    "external_url" : "external_url",
    "pushed_at" : "2000-01-23T04:56:07.000+00:00",
    "connector_id" : "connector_id",
    "external_id" : "external_id",
    "connector_name" : "connector_name"
  }
}

Produces

This API call produces the following media types according to the Accept request header; the media type will be conveyed by the Content-Type response header.
  • application/json

Responses

200

Indicates a successful call. case_response_properties

401

Authorization information is missing or invalid. 4xx_response

get /s/{spaceId}/api/cases/{caseId}
Retrieves information about a case. (getCase)
You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're seeking.

Path parameters

caseId (required)
Path Parameter — The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded. default: null
spaceId (required)
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null

Query parameters

includeComments (optional)
Query Parameter — Determines whether case comments are returned. default: true

Return type

Example data

Content-Type: application/json
{
  "owner" : "cases",
  "totalComment" : 0,
  "settings" : {
    "syncAlerts" : true
  },
  "totalAlerts" : 0,
  "closed_at" : "2000-01-23T04:56:07.000+00:00",
  "comments" : [ null, null ],
  "assignees" : [ {
    "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
  }, {
    "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
  } ],
  "created_at" : "2022-05-13T09:16:17.416Z",
  "description" : "A case description.",
  "title" : "Case title 1",
  "created_by" : {
    "full_name" : "full_name",
    "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
    "email" : "email",
    "username" : "elastic"
  },
  "version" : "WzUzMiwxXQ==",
  "closed_by" : {
    "full_name" : "full_name",
    "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
    "email" : "email",
    "username" : "elastic"
  },
  "tags" : [ "tag-1" ],
  "duration" : 120,
  "updated_at" : "2000-01-23T04:56:07.000+00:00",
  "updated_by" : {
    "full_name" : "full_name",
    "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
    "email" : "email",
    "username" : "elastic"
  },
  "id" : "66b9aa00-94fa-11ea-9f74-e7e108796192",
  "external_service" : {
    "external_title" : "external_title",
    "pushed_by" : {
      "full_name" : "full_name",
      "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
      "email" : "email",
      "username" : "elastic"
    },
    "external_url" : "external_url",
    "pushed_at" : "2000-01-23T04:56:07.000+00:00",
    "connector_id" : "connector_id",
    "external_id" : "external_id",
    "connector_name" : "connector_name"
  }
}

Produces

This API call produces the following media types according to the Accept request header; the media type will be conveyed by the Content-Type response header.
  • application/json

Responses

200

Indicates a successful call. case_response_properties

401

Authorization information is missing or invalid. 4xx_response

get /s/{spaceId}/api/cases/{caseId}/user_actions
Returns all user activity for a case. (getCaseActivity)
You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're seeking.

Path parameters

caseId (required)
Path Parameter — The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded. default: null
spaceId (required)
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null

Return type

Example data

Content-Type: application/json
{
  "owner" : "cases",
  "action_id" : "22fd3e30-03b1-11ed-920c-974bfa104448",
  "case_id" : "22df07d0-03b1-11ed-920c-974bfa104448",
  "action" : "create",
  "created_at" : "2022-05-13T09:16:17.416Z",
  "comment_id" : "578608d0-03b1-11ed-920c-974bfa104448",
  "type" : "create_case",
  "created_by" : {
    "full_name" : "full_name",
    "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
    "email" : "email",
    "username" : "elastic"
  }
}

Produces

This API call produces the following media types according to the Accept request header; the media type will be conveyed by the Content-Type response header.
  • application/json

Responses

200

Indicates a successful call.

401

Authorization information is missing or invalid. 4xx_response

get /s/{spaceId}/api/cases/{caseId}/alerts
Gets all alerts attached to a case. (getCaseAlerts)
You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're seeking.

Path parameters

caseId (required)
Path Parameter — The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded. default: null
spaceId (required)
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null

Return type

Example data

Content-Type: application/json
{
  "index" : "index",
  "id" : "id",
  "attached_at" : "2000-01-23T04:56:07.000+00:00"
}

Produces

This API call produces the following media types according to the Accept request header; the media type will be conveyed by the Content-Type response header.
  • application/json

Responses

200

Indicates a successful call.

401

Authorization information is missing or invalid. 4xx_response

get /s/{spaceId}/api/cases/{caseId}/comments/{commentId}
Retrieves a comment from a case. (getCaseComment)
You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases with the comments you're seeking.

Path parameters

caseId (required)
Path Parameter — The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded. default: null
commentId (required)
Path Parameter — The identifier for the comment. To retrieve comment IDs, use the get case or find cases APIs. default: null
spaceId (required)
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null

Return type

Example data

Content-Type: application/json
null

Produces

This API call produces the following media types according to the Accept request header; the media type will be conveyed by the Content-Type response header.
  • application/json

Responses

200

Indicates a successful call. getCaseComment_200_response

401

Authorization information is missing or invalid. 4xx_response

get /s/{spaceId}/api/cases/configure
Retrieves external connection details, such as the closure type and default connector for cases. (getCaseConfiguration)
You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case configuration.

Path parameters

spaceId (required)
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null

Query parameters

owner (optional)
Query Parameter — A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read. default: null

Return type

Example data

Content-Type: application/json
{
  "closure_type" : "close-by-user",
  "owner" : "cases",
  "mappings" : [ {
    "action_type" : "overwrite",
    "source" : "title",
    "target" : "summary"
  }, {
    "action_type" : "overwrite",
    "source" : "title",
    "target" : "summary"
  } ],
  "connector" : {
    "name" : "none",
    "id" : "none",
    "fields" : "{}",
    "type" : ".none"
  },
  "updated_at" : "2022-06-01T19:58:48.169Z",
  "updated_by" : {
    "full_name" : "full_name",
    "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
    "email" : "email",
    "username" : "elastic"
  },
  "created_at" : "2022-06-01T17:07:17.767Z",
  "id" : "4a97a440-e1cd-11ec-be9b-9b1838238ee6",
  "error" : "error",
  "created_by" : {
    "full_name" : "full_name",
    "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
    "email" : "email",
    "username" : "elastic"
  },
  "version" : "WzIwNzMsMV0="
}

Produces

This API call produces the following media types according to the Accept request header; the media type will be conveyed by the Content-Type response header.
  • application/json

Responses

200

Indicates a successful call.

401

Authorization information is missing or invalid. 4xx_response

get /s/{spaceId}/api/cases/configure/connectors/_find
Retrieves information about connectors. (getCaseConnectors)
In particular, only the connectors that are supported for use in cases are returned. You must have read privileges for the Actions and Connectors feature in the Management section of the Kibana feature privileges.

Path parameters

spaceId (required)
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null

Return type

Example data

Content-Type: application/json
{
  "isPreconfigured" : true,
  "isDeprecated" : true,
  "actionTypeId" : ".none",
  "referencedByCount" : 0,
  "name" : "name",
  "id" : "id",
  "config" : {
    "projectKey" : "projectKey",
    "apiUrl" : "apiUrl"
  },
  "isMissingSecrets" : true
}

Produces

This API call produces the following media types according to the Accept request header; the media type will be conveyed by the Content-Type response header.
  • application/json

Responses

200

Indicates a successful call.

401

Authorization information is missing or invalid. 4xx_response

get /s/{spaceId}/api/cases/reporters
Returns information about the users who opened cases. (getCaseReporters)
You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases. The API returns information about the users as they existed at the time of the case creation, including their name, full name, and email address. If any of those details change thereafter or if a user is deleted, the information returned by this API is unchanged.

Path parameters

spaceId (required)
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null

Query parameters

owner (optional)
Query Parameter — A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read. default: null

Return type

Example data

Content-Type: application/json
{
  "full_name" : "full_name",
  "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
  "email" : "email",
  "username" : "elastic"
}

Produces

This API call produces the following media types according to the Accept request header; the media type will be conveyed by the Content-Type response header.
  • application/json

Responses

200

Indicates a successful call.

401

Authorization information is missing or invalid. 4xx_response

get /s/{spaceId}/api/cases/status
Returns the number of cases that are open, closed, and in progress. (getCaseStatus)
You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're seeking.

Path parameters

spaceId (required)
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null

Query parameters

owner (optional)
Query Parameter — A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read. default: null

Return type

Example data

Content-Type: application/json
{
  "count_in_progress_cases" : 6,
  "count_open_cases" : 1,
  "count_closed_cases" : 0
}

Produces

This API call produces the following media types according to the Accept request header; the media type will be conveyed by the Content-Type response header.
  • application/json

Responses

200

Indicates a successful call. getCaseStatus_200_response

401

Authorization information is missing or invalid. 4xx_response

get /s/{spaceId}/api/cases/tags
Aggregates and returns a list of case tags. (getCaseTags)
You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're seeking.

Path parameters

spaceId (required)
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null

Query parameters

owner (optional)
Query Parameter — A filter to limit the retrieved case statistics to a specific set of applications. If this parameter is omitted, the response contains tags from all cases that the user has access to read. default: null

Return type

array[String]

Example data

Content-Type: application/json
""

Produces

This API call produces the following media types according to the Accept request header; the media type will be conveyed by the Content-Type response header.
  • application/json

Responses

200

Indicates a successful call.

401

Authorization information is missing or invalid. 4xx_response

get /s/{spaceId}/api/cases/_find
Retrieves a paginated subset of cases. (getCases)
You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're seeking.

Path parameters

spaceId (required)
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null

Query parameters

assignees (optional)
Query Parameter — Filters the returned cases by assignees. Valid values are none or unique identifiers for the user profiles. These identifiers can be found by using the suggest user profile API. default: null
defaultSearchOperator (optional)
Query Parameter — The default operator to use for the simple_query_string. default: OR
fields (optional)
Query Parameter — The fields in the entity to return in the response. default: null
from (optional)
Query Parameter — [preview] Returns only cases that were created after a specific date. The date must be specified as a KQL data range or date match expression. This functionality is in technical preview and may be changed or removed in a future release. Elastic will apply best effort to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. default: null
owner (optional)
Query Parameter — A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read. default: null
page (optional)
Query Parameter — The page number to return. default: 1
perPage (optional)
Query Parameter — The number of cases to return per page. default: 20
reporters (optional)
Query Parameter — Filters the returned cases by the user name of the reporter. default: null
search (optional)
Query Parameter — An Elasticsearch simple_query_string query that filters the objects in the response. default: null
searchFields (optional)
Query Parameter — The fields to perform the simple_query_string parsed query against. default: null
severity (optional)
Query Parameter — The severity of the case. default: null
sortField (optional)
Query Parameter — Determines which field is used to sort the results. default: createdAt
sortOrder (optional)
Query Parameter — Determines the sort order. default: desc
status (optional)
Query Parameter — Filters the returned cases by state. default: null
tags (optional)
Query Parameter — Filters the returned cases by tags. default: null
to (optional)
Query Parameter — [preview] Returns only cases that were created before a specific date. The date must be specified as a KQL data range or date match expression. This functionality is in technical preview and may be changed or removed in a future release. Elastic will apply best effort to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. default: null

Return type

Example data

Content-Type: application/json
{
  "count_in_progress_cases" : 6,
  "per_page" : 5,
  "total" : 2,
  "cases" : [ {
    "owner" : "cases",
    "totalComment" : 0,
    "settings" : {
      "syncAlerts" : true
    },
    "totalAlerts" : 0,
    "closed_at" : "2000-01-23T04:56:07.000+00:00",
    "comments" : [ null, null ],
    "assignees" : [ {
      "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
    }, {
      "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
    } ],
    "created_at" : "2022-05-13T09:16:17.416Z",
    "description" : "A case description.",
    "title" : "Case title 1",
    "created_by" : {
      "full_name" : "full_name",
      "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
      "email" : "email",
      "username" : "elastic"
    },
    "version" : "WzUzMiwxXQ==",
    "closed_by" : {
      "full_name" : "full_name",
      "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
      "email" : "email",
      "username" : "elastic"
    },
    "tags" : [ "tag-1" ],
    "duration" : 120,
    "updated_at" : "2000-01-23T04:56:07.000+00:00",
    "updated_by" : {
      "full_name" : "full_name",
      "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
      "email" : "email",
      "username" : "elastic"
    },
    "id" : "66b9aa00-94fa-11ea-9f74-e7e108796192",
    "external_service" : {
      "external_title" : "external_title",
      "pushed_by" : {
        "full_name" : "full_name",
        "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
        "email" : "email",
        "username" : "elastic"
      },
      "external_url" : "external_url",
      "pushed_at" : "2000-01-23T04:56:07.000+00:00",
      "connector_id" : "connector_id",
      "external_id" : "external_id",
      "connector_name" : "connector_name"
    }
  }, {
    "owner" : "cases",
    "totalComment" : 0,
    "settings" : {
      "syncAlerts" : true
    },
    "totalAlerts" : 0,
    "closed_at" : "2000-01-23T04:56:07.000+00:00",
    "comments" : [ null, null ],
    "assignees" : [ {
      "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
    }, {
      "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
    } ],
    "created_at" : "2022-05-13T09:16:17.416Z",
    "description" : "A case description.",
    "title" : "Case title 1",
    "created_by" : {
      "full_name" : "full_name",
      "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
      "email" : "email",
      "username" : "elastic"
    },
    "version" : "WzUzMiwxXQ==",
    "closed_by" : {
      "full_name" : "full_name",
      "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
      "email" : "email",
      "username" : "elastic"
    },
    "tags" : [ "tag-1" ],
    "duration" : 120,
    "updated_at" : "2000-01-23T04:56:07.000+00:00",
    "updated_by" : {
      "full_name" : "full_name",
      "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
      "email" : "email",
      "username" : "elastic"
    },
    "id" : "66b9aa00-94fa-11ea-9f74-e7e108796192",
    "external_service" : {
      "external_title" : "external_title",
      "pushed_by" : {
        "full_name" : "full_name",
        "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
        "email" : "email",
        "username" : "elastic"
      },
      "external_url" : "external_url",
      "pushed_at" : "2000-01-23T04:56:07.000+00:00",
      "connector_id" : "connector_id",
      "external_id" : "external_id",
      "connector_name" : "connector_name"
    }
  } ],
  "count_open_cases" : 1,
  "count_closed_cases" : 0,
  "page" : 5
}

Produces

This API call produces the following media types according to the Accept request header; the media type will be conveyed by the Content-Type response header.
  • application/json

Responses

200

Indicates a successful call. getCases_200_response

401

Authorization information is missing or invalid. 4xx_response

get /s/{spaceId}/api/cases/alerts/{alertId}
Returns the cases associated with a specific alert. (getCasesByAlert)
You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're seeking.

Path parameters

alertId (required)
Path Parameter — An identifier for the alert. default: null
spaceId (required)
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null

Query parameters

owner (optional)
Query Parameter — A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read. default: null

Return type

Example data

Content-Type: application/json
[ {
  "id" : "06116b80-e1c3-11ec-be9b-9b1838238ee6",
  "title" : "security_case"
} ]

Produces

This API call produces the following media types according to the Accept request header; the media type will be conveyed by the Content-Type response header.
  • application/json

Responses

200

Indicates a successful call.

401

Authorization information is missing or invalid. 4xx_response

post /s/{spaceId}/api/cases/{caseId}/connector/{connectorId}/_push
Pushes a case to an external service. (pushCase)
You must have all privileges for the Actions and Connectors feature in the Management section of the Kibana feature privileges. You must also have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're pushing.

Path parameters

caseId (required)
Path Parameter — The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded. default: null
connectorId (required)
Path Parameter — An identifier for the connector. To retrieve connector IDs, use the find connectors API. default: null
spaceId (required)
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null

Consumes

This API call consumes the following media types via the Content-Type request header:
  • application/json

Request body

body object (optional)
Body Parameter

Request headers

kbn-xsrf (required)
Header Parameter — Cross-site request forgery protection default: null

Return type

Example data

Content-Type: application/json
{
  "owner" : "cases",
  "totalComment" : 0,
  "settings" : {
    "syncAlerts" : true
  },
  "totalAlerts" : 0,
  "closed_at" : "2000-01-23T04:56:07.000+00:00",
  "comments" : [ null, null ],
  "assignees" : [ {
    "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
  }, {
    "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
  } ],
  "created_at" : "2022-05-13T09:16:17.416Z",
  "description" : "A case description.",
  "title" : "Case title 1",
  "created_by" : {
    "full_name" : "full_name",
    "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
    "email" : "email",
    "username" : "elastic"
  },
  "version" : "WzUzMiwxXQ==",
  "closed_by" : {
    "full_name" : "full_name",
    "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
    "email" : "email",
    "username" : "elastic"
  },
  "tags" : [ "tag-1" ],
  "duration" : 120,
  "updated_at" : "2000-01-23T04:56:07.000+00:00",
  "updated_by" : {
    "full_name" : "full_name",
    "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
    "email" : "email",
    "username" : "elastic"
  },
  "id" : "66b9aa00-94fa-11ea-9f74-e7e108796192",
  "external_service" : {
    "external_title" : "external_title",
    "pushed_by" : {
      "full_name" : "full_name",
      "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
      "email" : "email",
      "username" : "elastic"
    },
    "external_url" : "external_url",
    "pushed_at" : "2000-01-23T04:56:07.000+00:00",
    "connector_id" : "connector_id",
    "external_id" : "external_id",
    "connector_name" : "connector_name"
  }
}

Produces

This API call produces the following media types according to the Accept request header; the media type will be conveyed by the Content-Type response header.
  • application/json

Responses

200

Indicates a successful call. case_response_properties

401

Authorization information is missing or invalid. 4xx_response

post /s/{spaceId}/api/cases/configure
Sets external connection details, such as the closure type and default connector for cases. (setCaseConfiguration)
You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case configuration. Connectors are used to interface with external systems. You must create a connector before you can use it in your cases. Refer to the add connectors API. If you set a default connector, it is automatically selected when you create cases in Kibana. If you use the create case API, however, you must still specify all of the connector details.

Path parameters

spaceId (required)
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null

Consumes

This API call consumes the following media types via the Content-Type request header:
  • application/json

Request body

setCaseConfiguration_request setCaseConfiguration_request (optional)
Body Parameter

Request headers

kbn-xsrf (required)
Header Parameter — Cross-site request forgery protection default: null

Return type

Example data

Content-Type: application/json
{
  "closure_type" : "close-by-user",
  "owner" : "cases",
  "mappings" : [ {
    "action_type" : "overwrite",
    "source" : "title",
    "target" : "summary"
  }, {
    "action_type" : "overwrite",
    "source" : "title",
    "target" : "summary"
  } ],
  "connector" : {
    "name" : "none",
    "id" : "none",
    "fields" : "{}",
    "type" : ".none"
  },
  "updated_at" : "2022-06-01T19:58:48.169Z",
  "updated_by" : {
    "full_name" : "full_name",
    "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
    "email" : "email",
    "username" : "elastic"
  },
  "created_at" : "2022-06-01T17:07:17.767Z",
  "id" : "4a97a440-e1cd-11ec-be9b-9b1838238ee6",
  "error" : "error",
  "created_by" : {
    "full_name" : "full_name",
    "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
    "email" : "email",
    "username" : "elastic"
  },
  "version" : "WzIwNzMsMV0="
}

Produces

This API call produces the following media types according to the Accept request header; the media type will be conveyed by the Content-Type response header.
  • application/json

Responses

200

Indicates a successful call. getCaseConfiguration_200_response_inner

401

Authorization information is missing or invalid. 4xx_response

patch /s/{spaceId}/api/cases
Updates one or more cases. (updateCase)
You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're updating.

Path parameters

spaceId (required)
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null

Consumes

This API call consumes the following media types via the Content-Type request header:
  • application/json

Request body

update_case_request update_case_request (optional)
Body Parameter

Request headers

kbn-xsrf (required)
Header Parameter — Cross-site request forgery protection default: null

Return type

Example data

Content-Type: application/json
{
  "owner" : "cases",
  "totalComment" : 0,
  "settings" : {
    "syncAlerts" : true
  },
  "totalAlerts" : 0,
  "closed_at" : "2000-01-23T04:56:07.000+00:00",
  "comments" : [ null, null ],
  "assignees" : [ {
    "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
  }, {
    "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
  } ],
  "created_at" : "2022-05-13T09:16:17.416Z",
  "description" : "A case description.",
  "title" : "Case title 1",
  "created_by" : {
    "full_name" : "full_name",
    "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
    "email" : "email",
    "username" : "elastic"
  },
  "version" : "WzUzMiwxXQ==",
  "closed_by" : {
    "full_name" : "full_name",
    "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
    "email" : "email",
    "username" : "elastic"
  },
  "tags" : [ "tag-1" ],
  "duration" : 120,
  "updated_at" : "2000-01-23T04:56:07.000+00:00",
  "updated_by" : {
    "full_name" : "full_name",
    "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
    "email" : "email",
    "username" : "elastic"
  },
  "id" : "66b9aa00-94fa-11ea-9f74-e7e108796192",
  "external_service" : {
    "external_title" : "external_title",
    "pushed_by" : {
      "full_name" : "full_name",
      "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
      "email" : "email",
      "username" : "elastic"
    },
    "external_url" : "external_url",
    "pushed_at" : "2000-01-23T04:56:07.000+00:00",
    "connector_id" : "connector_id",
    "external_id" : "external_id",
    "connector_name" : "connector_name"
  }
}

Produces

This API call produces the following media types according to the Accept request header; the media type will be conveyed by the Content-Type response header.
  • application/json

Responses

200

Indicates a successful call.

401

Authorization information is missing or invalid. 4xx_response

patch /s/{spaceId}/api/cases/{caseId}/comments
Updates a comment or alert in a case. (updateCaseComment)
You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're updating. NOTE: You cannot change the comment type or the owner of a comment.

Path parameters

caseId (required)
Path Parameter — The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded. default: null
spaceId (required)
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null

Consumes

This API call consumes the following media types via the Content-Type request header:
  • application/json

Request body

update_case_comment_request update_case_comment_request (required)
Body Parameter

Request headers

kbn-xsrf (required)
Header Parameter — Cross-site request forgery protection default: null

Return type

Example data

Content-Type: application/json
{
  "owner" : "cases",
  "totalComment" : 0,
  "settings" : {
    "syncAlerts" : true
  },
  "totalAlerts" : 0,
  "closed_at" : "2000-01-23T04:56:07.000+00:00",
  "comments" : [ null, null ],
  "assignees" : [ {
    "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
  }, {
    "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
  } ],
  "created_at" : "2022-05-13T09:16:17.416Z",
  "description" : "A case description.",
  "title" : "Case title 1",
  "created_by" : {
    "full_name" : "full_name",
    "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
    "email" : "email",
    "username" : "elastic"
  },
  "version" : "WzUzMiwxXQ==",
  "closed_by" : {
    "full_name" : "full_name",
    "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
    "email" : "email",
    "username" : "elastic"
  },
  "tags" : [ "tag-1" ],
  "duration" : 120,
  "updated_at" : "2000-01-23T04:56:07.000+00:00",
  "updated_by" : {
    "full_name" : "full_name",
    "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
    "email" : "email",
    "username" : "elastic"
  },
  "id" : "66b9aa00-94fa-11ea-9f74-e7e108796192",
  "external_service" : {
    "external_title" : "external_title",
    "pushed_by" : {
      "full_name" : "full_name",
      "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
      "email" : "email",
      "username" : "elastic"
    },
    "external_url" : "external_url",
    "pushed_at" : "2000-01-23T04:56:07.000+00:00",
    "connector_id" : "connector_id",
    "external_id" : "external_id",
    "connector_name" : "connector_name"
  }
}

Produces

This API call produces the following media types according to the Accept request header; the media type will be conveyed by the Content-Type response header.
  • application/json

Responses

200

Indicates a successful call. case_response_properties

401

Authorization information is missing or invalid. 4xx_response

patch /s/{spaceId}/api/cases/configure/{configurationId}
Updates external connection details, such as the closure type and default connector for cases. (updateCaseConfiguration)
You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case configuration. Connectors are used to interface with external systems. You must create a connector before you can use it in your cases. Refer to the add connectors API.

Path parameters

configurationId (required)
Path Parameter — An identifier for the configuration. default: null
spaceId (required)
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null

Consumes

This API call consumes the following media types via the Content-Type request header:
  • application/json

Request body

updateCaseConfiguration_request updateCaseConfiguration_request (optional)
Body Parameter

Request headers

kbn-xsrf (required)
Header Parameter — Cross-site request forgery protection default: null

Return type

Example data

Content-Type: application/json
{
  "closure_type" : "close-by-user",
  "owner" : "cases",
  "mappings" : [ {
    "action_type" : "overwrite",
    "source" : "title",
    "target" : "summary"
  }, {
    "action_type" : "overwrite",
    "source" : "title",
    "target" : "summary"
  } ],
  "connector" : {
    "name" : "none",
    "id" : "none",
    "fields" : "{}",
    "type" : ".none"
  },
  "updated_at" : "2022-06-01T19:58:48.169Z",
  "updated_by" : {
    "full_name" : "full_name",
    "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
    "email" : "email",
    "username" : "elastic"
  },
  "created_at" : "2022-06-01T17:07:17.767Z",
  "id" : "4a97a440-e1cd-11ec-be9b-9b1838238ee6",
  "error" : "error",
  "created_by" : {
    "full_name" : "full_name",
    "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
    "email" : "email",
    "username" : "elastic"
  },
  "version" : "WzIwNzMsMV0="
}

Produces

This API call produces the following media types according to the Accept request header; the media type will be conveyed by the Content-Type response header.
  • application/json

Responses

200

Indicates a successful call.

401

Authorization information is missing or invalid. 4xx_response

Models


Table of Contents

  1. 4xx_response - Unsuccessful cases API response
  2. Case_response_properties_for_comments_inner -
  3. Case_response_properties_for_connectors - Case response properties for connectors
  4. action_types -
  5. actions -
  6. add_alert_comment_request_properties - Add case comment request properties for alerts
  7. add_case_comment_request - Add case comment request
  8. add_user_comment_request_properties - Add case comment request properties for user comments
  9. alert_comment_response_properties - Add case comment response properties for alerts
  10. alert_comment_response_properties_rule -
  11. alert_identifiers - Alert identifiers
  12. alert_indices - Alert indices
  13. alert_response_properties -
  14. assignees_inner -
  15. case_response_closed_by_properties - Case response properties for closed_by
  16. case_response_created_by_properties - Case response properties for created_by
  17. case_response_properties - Case response properties
  18. case_response_pushed_by_properties - Case response properties for pushed_by
  19. case_response_updated_by_properties - Case response properties for updated_by
  20. closure_types -
  21. connector_properties_cases_webhook - Create or update case request properties for Cases Webhook connector
  22. connector_properties_jira - Create or update case request properties for a Jira connector
  23. connector_properties_jira_fields -
  24. connector_properties_none - Create or update case request properties for no connector
  25. connector_properties_resilient - Create case request properties for an IBM Resilient connector
  26. connector_properties_resilient_fields -
  27. connector_properties_servicenow - Create case request properties for a ServiceNow ITSM connector
  28. connector_properties_servicenow_fields -
  29. connector_properties_servicenow_sir - Create case request properties for a ServiceNow SecOps connector
  30. connector_properties_servicenow_sir_fields -
  31. connector_properties_swimlane - Create case request properties for a Swimlane connector
  32. connector_properties_swimlane_fields -
  33. connector_types -
  34. create_case_request - Create case request
  35. create_case_request_connector -
  36. external_service -
  37. findCaseActivity_200_response -
  38. getCaseComment_200_response -
  39. getCaseConfiguration_200_response_inner -
  40. getCaseConfiguration_200_response_inner_connector -
  41. getCaseConfiguration_200_response_inner_created_by -
  42. getCaseConfiguration_200_response_inner_mappings_inner -
  43. getCaseConfiguration_200_response_inner_updated_by -
  44. getCaseConnectors_200_response_inner -
  45. getCaseConnectors_200_response_inner_config -
  46. getCaseStatus_200_response -
  47. getCasesByAlert_200_response_inner -
  48. getCases_200_response -
  49. getCases_assignees_parameter -
  50. getCases_owner_parameter -
  51. owners -
  52. payload_alert_comment -
  53. payload_alert_comment_comment -
  54. payload_alert_comment_comment_alertId -
  55. payload_alert_comment_comment_index -
  56. payload_assignees -
  57. payload_connector -
  58. payload_connector_connector -
  59. payload_connector_connector_fields -
  60. payload_create_case -
  61. payload_description -
  62. payload_pushed -
  63. payload_settings -
  64. payload_severity -
  65. payload_status -
  66. payload_tags -
  67. payload_title -
  68. payload_user_comment -
  69. payload_user_comment_comment -
  70. rule - Alerting rule
  71. setCaseConfiguration_request -
  72. setCaseConfiguration_request_connector -
  73. setCaseConfiguration_request_settings -
  74. settings -
  75. severity_property -
  76. status -
  77. updateCaseConfiguration_request -
  78. update_alert_comment_request_properties - Update case comment request properties for alerts
  79. update_case_comment_request - Update case comment request
  80. update_case_request - Update case request
  81. update_case_request_cases_inner -
  82. update_user_comment_request_properties - Update case comment request properties for user comments
  83. user_actions_find_response_properties -
  84. user_actions_response_properties -
  85. user_actions_response_properties_created_by -
  86. user_actions_response_properties_payload -
  87. user_comment_response_properties - Case response properties for user comments

4xx_response - Unsuccessful cases API response Up

error (optional)
message (optional)
statusCode (optional)

Case_response_properties_for_comments_inner - Up

alertId (optional)
created_at (optional)
Date format: date-time
created_by (optional)
id (optional)
index (optional)
owner (optional)
pushed_at (optional)
Date format: date-time
pushed_by (optional)
rule (optional)
type
Enum:
user
updated_at (optional)
Date format: date-time
updated_by (optional)
version (optional)
comment (optional)

Case_response_properties_for_connectors - Case response properties for connectors Up

fields
id
String The identifier for the connector. To retrieve connector IDs, use the find connectors API.
name
String The name of the connector.
type
String The type of connector.
Enum:
.swimlane

action_types - Up

The type of action.

add_alert_comment_request_properties - Add case comment request properties for alerts Up

Defines properties for case comment requests when type is alert.
alertId
index
owner
rule
type
String The type of comment.
Enum:
alert

add_case_comment_request - Add case comment request Up

The add comment to case API request body varies depending on whether you are adding an alert or a comment.
alertId
index
owner
rule
type
String The type of comment.
Enum:
user
comment
String The new comment. It is required only when type is user.

add_user_comment_request_properties - Add case comment request properties for user comments Up

Defines properties for case comment requests when type is user.
comment
String The new comment. It is required only when type is user.
owner
type
String The type of comment.
Enum:
user

alert_comment_response_properties - Add case comment response properties for alerts Up

alertId (optional)
created_at (optional)
Date format: date-time
created_by (optional)
id (optional)
index (optional)
owner (optional)
pushed_at (optional)
Date format: date-time
pushed_by (optional)
rule (optional)
type
Enum:
alert
updated_at (optional)
Date format: date-time
updated_by (optional)
version (optional)

alert_comment_response_properties_rule - Up

id (optional)
String The rule identifier.
name (optional)
String The rule name.

alert_identifiers - Alert identifiers Up

The alert identifiers. It is required only when type is alert. You can use an array of strings to add multiple alerts to a case, provided that they all relate to the same rule; index must also be an array with the same length or number of elements. Adding multiple alerts in this manner is recommended rather than calling the API multiple times. This functionality is in technical preview and may be changed or removed in a future release. Elastic will apply best effort to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

alert_indices - Alert indices Up

The alert indices. It is required only when type is alert. If you are adding multiple alerts to a case, use an array of strings; the position of each index name in the array must match the position of the corresponding alert identifier in the alertId array. This functionality is in technical preview and may be changed or removed in a future release. Elastic will apply best effort to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
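The pairing rules for alertId and index described above can be checked on the client before the request is sent. The following is an added example, not part of the Elastic documentation: the function names, the kbn-xsrf header value, and the sample alert identifiers and index name are assumptions made for illustration.

```python
import json
from urllib.parse import quote

MAX_ALERTS_PER_CASE = 1000  # per-case limit stated for the add comment endpoint


def comments_path(case_id, space_id=None):
    """Return the comments path; /s/{spaceId} is omitted for the default space."""
    prefix = "/s/" + quote(space_id, safe="") if space_id else ""
    # quote() percent-encodes non-ASCII characters as UTF-8, as the API requires.
    return prefix + "/api/cases/" + quote(case_id, safe="") + "/comments"


def request_headers():
    """Headers the endpoint requires. The kbn-xsrf value is an assumption:
    the page only states that the header must be present."""
    return {"Content-Type": "application/json", "kbn-xsrf": "true"}


def build_alert_comment(alert_ids, indices, rule_id, rule_name, owner,
                        alerts_already_attached=0):
    """Build an add-comment body with type 'alert'.

    alert_ids and indices are either both strings (one alert) or both
    sequences of equal length, where indices[i] is the index of alert_ids[i].
    """
    single = isinstance(alert_ids, str)
    if single != isinstance(indices, str):
        raise ValueError("alertId and index must both be strings or both be arrays")

    ids = [alert_ids] if single else list(alert_ids)
    idx = [indices] if single else list(indices)

    if not ids:
        raise ValueError("at least one alert identifier is required")
    if len(ids) != len(idx):
        raise ValueError(
            "index must have the same number of elements as alertId "
            "(%d != %d)" % (len(idx), len(ids))
        )
    if any(not isinstance(v, str) or not v for v in ids + idx):
        raise ValueError("alert identifiers and index names must be non-empty strings")
    if alerts_already_attached + len(ids) > MAX_ALERTS_PER_CASE:
        raise ValueError("case would exceed %d alerts" % MAX_ALERTS_PER_CASE)

    return {
        "type": "alert",
        "owner": owner,
        "alertId": alert_ids if single else ids,
        "index": indices if single else idx,
        "rule": {"id": rule_id, "name": rule_name},
    }


if __name__ == "__main__":
    # Constructed sample values; none of these come from a real deployment.
    body = build_alert_comment(
        ["alert-aaa", "alert-bbb"],
        [".alerts-sample-index", ".alerts-sample-index"],
        rule_id="rule-123",
        rule_name="Sample rule",
        owner="cases",
    )
    print("POST", comments_path("66b9aa00-94fa-11ea-9f74-e7e108796192"))
    print(json.dumps(request_headers()))
    print(json.dumps(body, indent=2))
```

Sending several alerts from the same rule in one body, as here, follows the page's recommendation over calling the API once per alert.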

alert_response_properties - Up

attached_at (optional)
Date format: date-time
id (optional)
String The alert identifier.
index (optional)
String The alert index.

assignees_inner - Up

uid
String A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.

case_response_properties - Case response properties Up

assignees (optional)
array[assignees_inner] An array containing users that are assigned to the case.
closed_at
Date format: date-time
closed_by
comments
array[Case_response_properties_for_comments_inner] An array of comment objects for the case.
connector
created_at
Date format: date-time
created_by
description
duration
Integer The elapsed time from the creation of the case to its closure (in seconds). If the case has not been closed, the duration is set to null. If the case was closed after less than half a second, the duration is rounded down to zero.
external_service
id
owner
settings
severity
status
tags
title
totalAlerts
totalComment
updated_at
Date format: date-time
updated_by
version

closure_types - Up

Indicates whether a case is automatically closed when it is pushed to external systems (close-by-pushing) or not automatically closed (close-by-user).

connector_properties_cases_webhook - Create or update case request properties for Cases Webhook connector Up

Defines properties for connectors when type is .cases-webhook.
fields
id
String The identifier for the connector. To retrieve connector IDs, use the find connectors API.
name
String The name of the connector.
type
String The type of connector.
Enum:
.cases-webhook

connector_properties_jira - Create or update case request properties for a Jira connector Up

Defines properties for connectors when type is .jira.
fields
id
String The identifier for the connector. To retrieve connector IDs, use the find connectors API.
name
String The name of the connector.
type
String The type of connector.
Enum:
.jira

connector_properties_jira_fields - Up

An object containing the connector fields. If you want to omit any individual field, specify null as its value.
issueType
String The type of issue.
parent
String The key of the parent issue, when the issue type is sub-task.
priority
String The priority of the issue.

connector_properties_none - Create or update case request properties for no connector Up

Defines properties for connectors when type is .none.
fields
String An object containing the connector fields. To create a case without a connector, specify null. To update a case to remove the connector, specify null.
id
String The identifier for the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.
name
String The name of the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.
type
String The type of connector. To create a case without a connector, use .none. To update a case to remove the connector, specify .none.
Enum:
.none

connector_properties_resilient - Create case request properties for an IBM Resilient connector Up

Defines properties for connectors when type is .resilient.
fields
id
String The identifier for the connector.
name
String The name of the connector.
type
String The type of connector.
Enum:
.resilient

connector_properties_resilient_fields - Up

An object containing the connector fields. If you want to omit any individual field, specify null as its value.
issueTypes
array[String] The type of incident.
severityCode
String The severity code of the incident.

connector_properties_servicenow - Create case request properties for a ServiceNow ITSM connector Up

Defines properties for connectors when type is .servicenow.
fields
id
String The identifier for the connector. To retrieve connector IDs, use the find connectors API.
name
String The name of the connector.
type
String The type of connector.
Enum:
.servicenow

connector_properties_servicenow_fields - Up

An object containing the connector fields. If you want to omit any individual field, specify null as its value.
category
String The category of the incident.
impact
String The effect an incident had on business.
severity
String The severity of the incident.
subcategory
String The subcategory of the incident.
urgency
String The extent to which the incident resolution can be delayed.

connector_properties_servicenow_sir - Create case request properties for a ServiceNow SecOps connector Up

Defines properties for connectors when type is .servicenow-sir.
fields
id
String The identifier for the connector. To retrieve connector IDs, use the find connectors API.
name
String The name of the connector.
type
String The type of connector.
Enum:
.servicenow-sir

connector_properties_servicenow_sir_fields - Up

An object containing the connector fields. If you want to omit any individual field, specify null as its value.
category
String The category of the incident.
destIp
Boolean Indicates whether cases will send a comma-separated list of destination IPs.
malwareHash
Boolean Indicates whether cases will send a comma-separated list of malware hashes.
malwareUrl
Boolean Indicates whether cases will send a comma-separated list of malware URLs.
priority
String The priority of the issue.
sourceIp
Boolean Indicates whether cases will send a comma-separated list of source IPs.
subcategory
String The subcategory of the incident.

connector_properties_swimlane - Create case request properties for a Swimlane connector Up

Defines properties for connectors when type is .swimlane.
fields
id
String The identifier for the connector. To retrieve connector IDs, use the find connectors API.
name
String The name of the connector.
type
String The type of connector.
Enum:
.swimlane

connector_properties_swimlane_fields - Up

An object containing the connector fields. If you want to omit any individual field, specify null as its value.
caseId
String The case identifier for Swimlane connectors.

connector_types - Up

The type of connector.

create_case_request - Create case request Up

The create case API request body varies depending on the type of connector.
assignees (optional)
array[assignees_inner] An array containing users that are assigned to the case.
connector
description
String The description for the case.
owner
settings
severity (optional)
tags
array[String] The words and phrases that help categorize cases. It can be an empty array.
title
String A title for the case.

create_case_request_connector

fields
id
String The identifier for the connector. To retrieve connector IDs, use the find connectors API.
name
String The name of the connector.
type
String The type of connector.
Enum:
.swimlane

external_service

connector_id (optional)
connector_name (optional)
external_id (optional)
external_title (optional)
external_url (optional)
pushed_at (optional)
Date format: date-time
pushed_by (optional)

findCaseActivity_200_response

page (optional)
perPage (optional)
total (optional)
userActions (optional)

getCaseComment_200_response

alertId (optional)
created_at (optional)
Date format: date-time
created_by (optional)
id (optional)
index (optional)
owner (optional)
pushed_at (optional)
Date format: date-time
pushed_by (optional)
rule (optional)
type
Enum:
user
updated_at (optional)
Date format: date-time
updated_by (optional)
version (optional)
comment (optional)

getCaseConfiguration_200_response_inner

closure_type (optional)
connector (optional)
created_at (optional)
Date format: date-time
created_by (optional)
error (optional)
id (optional)
mappings (optional)
owner (optional)
updated_at (optional)
Date format: date-time
updated_by (optional)
version (optional)

getCaseConfiguration_200_response_inner_connector

fields (optional)
Object The fields specified in the case configuration are not used and are not propagated to individual cases; therefore, it is recommended to set this value to null.
id (optional)
String The identifier for the connector. If you do not want a default connector, use none. To retrieve connector IDs, use the find connectors API.
name (optional)
String The name of the connector. If you do not want a default connector, use none. To retrieve connector names, use the find connectors API.
type (optional)

getCaseConfiguration_200_response_inner_created_by

email (optional)
full_name (optional)
username (optional)
profile_uid (optional)

getCaseConfiguration_200_response_inner_mappings_inner

action_type (optional)
source (optional)
target (optional)

getCaseConfiguration_200_response_inner_updated_by

email (optional)
full_name (optional)
username (optional)
profile_uid (optional)

getCaseConnectors_200_response_inner

actionTypeId (optional)
config (optional)
id (optional)
isDeprecated (optional)
isMissingSecrets (optional)
isPreconfigured (optional)
name (optional)
referencedByCount (optional)

getCaseConnectors_200_response_inner_config

apiUrl (optional)
projectKey (optional)

getCaseStatus_200_response

count_closed_cases (optional)
count_in_progress_cases (optional)
count_open_cases (optional)

getCasesByAlert_200_response_inner

id (optional)
String The case identifier.
title (optional)
String The case title.

getCases_200_response

cases (optional)
count_closed_cases (optional)
count_in_progress_cases (optional)
count_open_cases (optional)
page (optional)
per_page (optional)
total (optional)

owners

The application that owns the cases: Stack Management, Observability, or Elastic Security.

payload_assignees

assignees (optional)
array[assignees_inner] An array containing users that are assigned to the case.

payload_connector_connector

fields (optional)
id (optional)
String The identifier for the connector. To create a case without a connector, use none.
name (optional)
String The name of the connector. To create a case without a connector, use none.
type (optional)

payload_connector_connector_fields

An object containing the connector fields. To create a case without a connector, specify null. If you want to omit any individual field, specify null as its value.
caseId (optional)
String The case identifier for Swimlane connectors.
category (optional)
String The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors.
destIp (optional)
Boolean Indicates whether cases will send a comma-separated list of destination IPs for ServiceNow SecOps connectors.
impact (optional)
String The effect an incident had on business for ServiceNow ITSM connectors.
issueType (optional)
String The type of issue for Jira connectors.
issueTypes (optional)
array[String] The type of incident for IBM Resilient connectors.
malwareHash (optional)
Boolean Indicates whether cases will send a comma-separated list of malware hashes for ServiceNow SecOps connectors.
malwareUrl (optional)
Boolean Indicates whether cases will send a comma-separated list of malware URLs for ServiceNow SecOps connectors.
parent (optional)
String The key of the parent issue, when the issue type is sub-task for Jira connectors.
priority (optional)
String The priority of the issue for Jira and ServiceNow SecOps connectors.
severity (optional)
String The severity of the incident for ServiceNow ITSM connectors.
severityCode (optional)
String The severity code of the incident for IBM Resilient connectors.
sourceIp (optional)
Boolean Indicates whether cases will send a comma-separated list of source IPs for ServiceNow SecOps connectors.
subcategory (optional)
String The subcategory of the incident for ServiceNow ITSM connectors.
urgency (optional)
String The extent to which the incident resolution can be delayed for ServiceNow ITSM connectors.

payload_create_case

assignees (optional)
array[assignees_inner] An array containing users that are assigned to the case.
connector (optional)
description (optional)
owner (optional)
settings (optional)
severity (optional)
status (optional)
tags (optional)
title (optional)

payload_description

description (optional)

payload_pushed

externalService (optional)

payload_settings

settings (optional)

payload_status

status (optional)

payload_title

title (optional)

payload_user_comment_comment

comment (optional)
owner (optional)
type (optional)
Enum:
user

rule - Alerting rule

The rule that is associated with the alerts. It is required only when type is alert. This functionality is in technical preview and may be changed or removed in a future release. Elastic will apply best effort to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
id (optional)
String The rule identifier.
name (optional)
String The rule name.

setCaseConfiguration_request_connector

An object that contains the connector configuration.
fields
Object The fields specified in the case configuration are not used and are not propagated to individual cases; therefore, it is recommended to set this value to null.
id
String The identifier for the connector. If you do not want a default connector, use none. To retrieve connector IDs, use the find connectors API.
name
String The name of the connector. If you do not want a default connector, use none. To retrieve connector names, use the find connectors API.
type

setCaseConfiguration_request_settings

An object that contains the case settings.
syncAlerts
Boolean Turns alert syncing on or off.

settings

An object that contains the case settings.
syncAlerts
Boolean Turns alert syncing on or off.

severity_property

The severity of the case.

status

The status of the case.

updateCaseConfiguration_request

closure_type (optional)
connector (optional)
version
String The version of the connector. To retrieve the version value, use the get configuration API.

update_alert_comment_request_properties - Update case comment request properties for alerts

Defines properties for case comment requests when type is alert.
alertId
id
String The identifier for the comment. To retrieve comment IDs, use the get comments API.
index
owner
rule
type
String The type of comment.
Enum:
alert
version
String The current comment version. To retrieve version values, use the get comments API.

update_case_comment_request - Update case comment request

The update case comment API request body varies depending on whether you are updating an alert or a comment.
alertId
id
String The identifier for the comment. To retrieve comment IDs, use the get comments API.
index
owner
rule
type
String The type of comment.
Enum:
user
version
String The current comment version. To retrieve version values, use the get comments API.
comment
String The new comment. It is required only when type is user.

update_case_request - Update case request

The update case API request body varies depending on the type of connector.
cases
array[update_case_request_cases_inner] An array containing one or more case objects.

update_case_request_cases_inner

assignees (optional)
array[assignees_inner] An array containing users that are assigned to the case.
connector (optional)
description (optional)
String An updated description for the case.
id
String The identifier for the case.
settings (optional)
severity (optional)
status (optional)
tags (optional)
array[String] The words and phrases that help categorize cases.
title (optional)
String A title for the case.
version
String The current version of the case. To determine this value, use the get case or find cases APIs.

update_user_comment_request_properties - Update case comment request properties for user comments

Defines properties for case comment requests when type is user.
comment
String The new comment. It is required only when type is user.
id
String The identifier for the comment. To retrieve comment IDs, use the get comments API.
owner
type
String The type of comment.
Enum:
user
version
String The current comment version. To retrieve version values, use the get comments API.

user_actions_find_response_properties

action
comment_id
created_at
Date format: date-time
created_by
id
owner
payload
version
type
String The type of action.
Enum:
assignees
create_case
comment
connector
description
pushed
tags
title
status
settings
severity

user_actions_response_properties_created_by

email
full_name
username
profile_uid (optional)

user_actions_response_properties_payload

comment (optional)
assignees (optional)
array[assignees_inner] An array containing users that are assigned to the case.
connector (optional)
description (optional)
owner (optional)
settings (optional)
severity (optional)
status (optional)
tags (optional)
title (optional)
externalService (optional)

user_comment_response_properties - Case response properties for user comments

comment (optional)
created_at (optional)
Date format: date-time
created_by (optional)
id (optional)
owner (optional)
pushed_at (optional)
Date format: date-time
pushed_by (optional)
type
Enum:
user
updated_at (optional)
Date format: date-time
updated_by (optional)
version (optional)